[dkim-dev] Choosing sets of headers to sign
Hector Santos
hsantos at santronics.com
Mon Jan 15 03:35:11 PST 2007
Dave Crocker wrote:
> Murray, et al,
>
> 1. How would the verifier be given a list? Via the BCP you cite, or
> something else?
IMO, this touches base with SSP (domain policy ideas), which is no
secret; I believe it is an important aspect of helping put it all "together."
But in general, I believe you are dealing with section 5.4. It provides some
guidance, but I think it is subjective.
> 2. Is there only one list, or for example, might different styles of
> messaging produce different set of required (or expected) signatures?
A few default strategies:

- non-mailing list transactions:
    From:
    To:
    Subject:
    Date:
    Message-Id:
    [Sender:]
    [Reply-Id:]

- mailing list transactions (3rd party):
    From:
    To:
    Date:
    Message-Id:
    Sender:
    List-Id:
    [Reply-Id:]
    [DKIM-Signature:] for resigns
> 3. Absent a BCP or the like, is there a problem with having -base be
> silent on list any required fields (other than From)?
I personally think it should be more fundamental, with a discussion on
the typical basic fields of an "electronic message", i.e., From:, To:,
Date: and Subject:. These are essentially guaranteed to be part of all
mail systems.
> The basis for this question is the concern that publishing -base
> without a list would produce different signing choices and a confusion
> of how to interpret those differences, or a failure to handle them
> differently.
Well, sure, I haven't checked in recent months, but during R&D, it did
raise my eyebrow seeing some messages signed with all headers or headers
that were subject to change or removal. This was particularly difficult
to decipher when there were multiple signatures. So sure, guidance should
be stipulated for some default headers to be considered depending on the
route a message may take (direct or mailing list).
---
HLS
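The two default header sets above (direct vs. mailing-list route) can be turned into a concrete DKIM h= list, and a verifier can check whether a received signature's h= list covers the route's required fields. The following Python is an added example, not code from the dkim-dev list or from any DKIM implementation; it assumes the post's "Reply-Id:" means Reply-To:, treats the bracketed fields as optional, and uses a constructed sample message. Listing a header name in h= that is absent from the message, or listing it one extra time, is the standard DKIM way to make a later addition of that header break the signature.

```python
"""Build a DKIM h= header list for a direct or mailing-list route and check
whether a signature's h= list covers the route's required headers.
Example code, not from the dkim-dev list."""

# Header sets per route, taken from the post. Bracketed fields in the post
# are treated as optional. Assumption: the post's "Reply-Id:" means Reply-To:.
ROUTES = {
    "direct": {
        "required": ["From", "To", "Subject", "Date", "Message-Id"],
        "optional": ["Sender", "Reply-To"],
    },
    "mailing-list": {
        "required": ["From", "To", "Date", "Message-Id", "Sender", "List-Id"],
        "optional": ["Reply-To", "DKIM-Signature"],
    },
}

# Constructed sample header block (not a real message).
SAMPLE = """From: alice@example.com
To: list@example.org
Subject: Choosing sets of headers to sign
Date: Mon, 15 Jan 2007 03:35:11 -0800
Message-Id: <constructed-001@example.com>
Reply-To: alice@example.com

body text
"""


def parse_headers(raw):
    """Parse a header block into an ordered list of (name, value) pairs.

    Continuation lines (leading whitespace) are folded into the previous
    value; duplicate names are kept so they can be counted later.
    """
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def build_h_tag(headers, route, oversign=()):
    """Return the h= value for a signature on this message and route.

    Required headers are always listed, even when absent, so that adding one
    later breaks the signature. Optional headers are listed only when
    present. Each name is listed once per instance in the message; names in
    `oversign` get one extra listing, which blocks a later addition of
    that header (standard DKIM semantics for listing more instances than
    exist).
    """
    counts = {}
    for name, _ in headers:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    spec = ROUTES[route]
    extra = {o.lower() for o in oversign}
    fields = []
    for name in spec["required"] + spec["optional"]:
        n = counts.get(name.lower(), 0)
        if name in spec["required"]:
            n = max(n, 1)
        if name.lower() in extra:
            n += 1
        fields.extend([name] * n)
    return ":".join(fields)


def missing_required(h_tag, route):
    """Return the route's required headers that a signature's h= tag omits."""
    signed = {n.strip().lower() for n in h_tag.split(":") if n.strip()}
    return [n for n in ROUTES[route]["required"] if n.lower() not in signed]


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE)
    for route in ROUTES:
        print(route, "h=" + build_h_tag(hdrs, route))
    direct = build_h_tag(hdrs, "direct")
    print("direct signature missing for mailing-list route:",
          missing_required(direct, "mailing-list"))
```

Running it shows that a signature built for the direct route leaves Sender: and List-Id: uncovered when the message instead travels through a list, which is exactly the kind of route-dependent difference the post argues guidance should address; the `oversign` parameter shows how a signer can pin a header such as Subject: against later insertion.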